Threat Hunting > [T2]: Creating a Custom Detection Rule with MITRE ATT&CK Framework
In this lesson, we will create a custom detection rule in Kibana using the MITRE ATT&CK framework. This rule will help us identify malicious activities like the execution of the Netcat process.
Simulate Netcat Process Execution: First, we will simulate a Netcat process execution. In your lab machine, open your terminal and run the following command:
nc -w 1 -z scanme.nmap.org 20-80
This command will perform a TCP port scan on the scanme.nmap.org domain on the port range 20-80.
Create a New Rule in Kibana: To create a new rule, go to the global search bar in Kibana and type "create new rule". Click on the first result to open the rule creation interface.
Configure the Rule: Make sure you select the following settings for the rule:
- Rule type: Custom query
- Source: Data View (logs-*)
- Custom query:
process.name : "nc" and event.action : "exec"
Click "Continue" to proceed to the next step.
Set Rule Details: Assign a name, description, and severity level for your rule. You can also add a tag to help categorize the rule. In this example, we will use the tag "Linux".
Advanced Settings and MITRE Mapping: Click on "Advanced settings" and populate the MITRE ATT&CK fields with the appropriate tactics and techniques related to the Netcat process execution.
Schedule the Rule: Set the rule to run every 5 minutes and click "Continue".
Create and Enable the Rule: Review your rule settings and click on "Create and activate rule" to enable the rule.
Testing the Rule: Open the Alerts Dashboard in Kibana and set the auto-refresh interval to 1 second. Run the Netcat command again (nc -w 1 -z scanme.nmap.org 20-80) and monitor the Alerts Dashboard. The rule should trigger an alert after a few minutes, as we scheduled it to run every 5 minutes.
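To see exactly which documents the custom query above turns into alerts, here is an added offline check (example code, not part of the lesson or of Kibana): it evaluates the lesson's KQL condition over constructed ECS-style process events, and also a broader variant that goes beyond the lesson by matching alternative Netcat binary names. The event documents, the field names beyond process.name and event.action, and the helper names are assumptions for this example.

```python
from typing import Any, Dict, Iterable, List, Optional

# Constructed ECS-style documents, shaped like process events in the logs-* data
# view. They are sample input for this example, not captured lab logs.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"action": "exec"},          # the lesson's port scan
     "process": {"name": "nc", "args": ["nc", "-w", "1", "-z", "scanme.nmap.org", "20-80"]}},
    {"event": {"action": "end"},           # process exit: same binary, wrong action
     "process": {"name": "nc", "args": ["nc", "-w", "1", "-z", "scanme.nmap.org", "20-80"]}},
    {"event": {"action": "exec"},          # same tool, different binary name
     "process": {"name": "ncat", "args": ["ncat", "-z", "scanme.nmap.org", "20-80"]}},
    {"event": {"action": "exec"},          # benign command
     "process": {"name": "ls", "args": ["ls", "-la"]}},
]

def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field name such as 'process.name' in a nested document."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_lesson_query(doc: Dict[str, Any]) -> bool:
    """Equivalent of the lesson's KQL on keyword fields:
    process.name : "nc" and event.action : "exec"  (exact, case-sensitive match)."""
    return get_field(doc, "process.name") == "nc" and get_field(doc, "event.action") == "exec"

def matches_broader_query(doc: Dict[str, Any],
                          names: Iterable[str] = ("nc", "ncat", "netcat")) -> bool:
    """Broader variant (assumed, not from the lesson), equivalent to the KQL
    process.name : ("nc" or "ncat" or "netcat") and event.action : "exec",
    so alternative Netcat builds are not silently missed."""
    return get_field(doc, "process.name") in set(names) and get_field(doc, "event.action") == "exec"

def run_rule(events: Iterable[Dict[str, Any]], predicate) -> List[Dict[str, Any]]:
    """Return the documents the rule would turn into alerts on one scheduled run."""
    return [doc for doc in events if predicate(doc)]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, matches_lesson_query):
        print("ALERT:", " ".join(get_field(hit, "process.args")))
```

Only the first document matches the lesson's query; the process-exit event and the ncat execution do not, which shows why event.action and the exact binary name both matter when tuning the rule.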
By creating custom detection rules with the MITRE ATT&CK framework, you can improve your security monitoring capabilities and quickly identify potential threats in your environment.